The Defense Department’s $6 billion supermarket chain needs tighter security for the secret keys fastening its hundreds of databases, Pentagon officials say.
Currently, those keys—lengthy, computer-generated passwords—essentially are stored underneath the doormat, beside personal and financial data, contracting documents show.
“In today’s solutions, the keys reside with the data and that is not acceptable,” Defense Commissary Agency officials said in a recent request for information from vendors.
The data at stake includes encrypted payment card industry, or PCI, data and personally identifiable information, or PII, agency spokesman Kevin Robinson told Nextgov. Scrambled in code indecipherable to hackers, the records contain credit card numbers and security codes from the back of the card, he said.
The commissary agency’s proposed system would make it possible, say, to deposit keys at DeCA’s Fort Lee, Virginia, headquarters for locking and unlocking remote databases at a server farm “in the cloud,” the contracting papers said.
The Pentagon embraces encryption while other parts of the government see it as an obstacle.
The FBI and other U.S. authorities want a copy of all keys or some other “backdoor” entry into encrypted data to intercept messages about terrorist plots and other life-or-death matters. Then, there are security experts, like technologist Bruce Schneier, who say there is no way to give the FBI that capability without weakening encryption against all adversaries.
Beyond using encryption to protect grocery store operations, the military deploys the data-scrambling feature in handheld radios, missile system data links and other communications devices to hide information from foes.
On Tuesday, FBI Director James Comey repeated a refrain from the past couple of years about encryption handicapping criminal investigations and said the bureau is collecting information about the challenge in preparation for an “adult conversation” next year.
Whatever the result of that conversation, the commissary agency’s future encryption system would have to adapt its features accordingly.
“In order to keep pace with changes in encryption standards, the vendor is required to be in compliance with the encryption guidance that the National Institute of Science and Technology publishes for federal agencies,” the RFI said. Computer algorithms that generate the encryption and decryption keys cannot be proprietary or “home-grown,” and must be industry tested and DOD approved.
While the 250-store grocery chain has not committed to buying anything, officials Aug. 24 said there’s a possibility an acquisition will take place in fiscal 2017.
The system, formally dubbed the Enterprise Encryption and Key Management Solution, would consist of commercial, currently available technology that stows encryption keys in a different location than the data in the agency’s 629 database environments, officials said.
“What DeCA does today is utilize the inherent encryption capabilities of the databases it uses such as Oracle and Microsoft SQL Server,” the contracting papers said. “The fundamental problem with this approach is not necessarily in the encryption but in the keys that enable the unencrypting of the data.”
Early last month, Oracle informed customers of a data breach in a corporate unit that runs MICROS retail payment terminals, which experts say could explain a rash of recent cashier data breaches at many hotels, shops and other bricks-and-mortar outlets, Fortune reported. Oracle said the hack did not affect its cloud services.
The future defense agency arrangement would “enable the keys to be maintained external to the data that has been encrypted” and support various cloud databases, the contracting papers said.
Commissaries at military bases offer defense personnel and their families discounts, equal to the actual cost of a product plus 5 percent, that could cut customer expenses by thousands of dollars a year, according to the agency.
The new system should allow a way for “securing of encryption keys generated by DeCA database platforms that natively encrypt PCI and PII data,” Robinson said in an email. “Additionally, the solution should provide alternatives to the local database native encryption features for PCI and PII data.”